Denial of Service Worlds Attaks
Uploaded by Nazia Tabassum

Denial of Service

WORLDS ATTAKS

Denial of service (DOS)

- Too many requests for a particular web site "clog the pipe" so that no one else can access the site
- Also the use of a LAND attack
Possible impacts:
- May reboot your computer
- Slows down computers
- Certain sites and applications become inaccessible
- You are offline
Where are you?
Everyone has to know that they come from 3 places:
- "New Files"
- "Viewed Content"
- "Exposed Services"
Where they come from
- Unwanted email with attachments you weren't expecting
- Downloaded programs from the internet that come from less than trustworthy locations
- File sharing programs (P2P)
- Websites that will "install" things for you

The more open doors your computer has, the more chance of someone coming in.
What is a Denial of Service Attack?
- "Attack in which the primary goal is to deny the victim(s) access to a particular resource."
- A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.
How to take down a restaurant: Saboteur vs. Restauranteur
Saboteur: "Table for four at 8 o'clock. Name of Mr. Smith."
Restauranteur: "O.K., Mr. Smith."
(The saboteur keeps making reservations until the restaurant is fully booked.)
Restauranteur: "No More Tables!"


- Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack.
Categories of DOS attack
- Bandwidth attacks
- Protocol exceptions
- Logic attacks

- A bandwidth attack is the oldest and most common DoS attack. In this approach, the malicious hacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access to users.
- A protocol attack is a trickier approach, but it is becoming quite popular. Here, the malicious attacker sends traffic in a way that the target system never expected, such as when an attacker sends a flood of SYN packets.
- The third type of attack is a logic attack. This is the most advanced type of attack because it involves a sophisticated understanding of networking. A classic example of a logic attack is a LAND attack, where an attacker sends a forged packet with the same source and destination IP address. Many systems are unable to handle this type of confused activity and subsequently crash.
Types of DoS Attacks
The following slides introduce the common types of DoS attacks, many of which can also be carried out as a DDoS attack.
PING OF DEATH
A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It is also a valuable tool for troubleshooting and diagnosing problems on a network. As the following picture shows, a normal ping has two messages (echo request and echo reply):
- BUT
- With a Ping of Death attack, an echo packet is sent that is larger than the maximum allowed size of 65,536 bytes. The packet is broken down into smaller segments, but when it is reassembled, it is discovered to be too large for the receiving buffer. Subsequently, systems that are unable to handle such abnormalities either crash or reboot.
- You can perform a Ping of Death from within Linux by typing ping -f -s 65537. Note the use of the -f switch. This switch causes the packets to be sent as quickly as possible. Often the cause of a DoS attack is not just the size or amount of traffic, but the rapid rate at which packets are being sent to a target.

Tools: Jolt, SPing, ICMP Bug, IceNewk
Smurf and Fraggle

A Smurf attack is another DoS attack that uses ICMP. Here, an ICMP echo request is sent to a network broadcast address with the target as the spoofed source. When hosts receive the echo request, they send an echo reply back to the target. Sending multiple Smurf attacks directed at a single target in a distributed fashion might succeed in crashing it.
- If the broadcast ping cannot be sent to a network, a Smurf amplifier is used instead. A Smurf amplifier is a network that allows the hacker to send broadcast pings to it and sends back ping responses to his target host on a different network. Nmap provides the capability to detect whether a network can be used as a Smurf amplifier.
- A variation of the Smurf attack is a Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks work by using the CHARGEN and ECHO UDP services that operate on UDP ports 19 and 7. Both of these services are designed to operate much like ICMP pings; they respond to requesting hosts to notify them that they are active on a network.
LAND Attack
- In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reportedly discovered in 1997), both Windows XP with Service Pack 2 and Windows Server 2003 are vulnerable to this attack.
hping can be used to craft packets with the same spoofed source and destination address.
SYN flood
- A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between the two hosts.
In a SYN flood the three-way handshake takes a different turn: the attacking host sends a flood of SYN packets but never responds with the final ACK. The TCP/IP stack waits a certain amount of time before dropping each such connection, so a SYN flooding attack keeps the SYN_RECEIVED connection queue of the target machine filled.
With a SYN flood attack, these rules are violated. Instead of the normal three-way handshake, an attacker sends a packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK response. A host has a limited number of half-open (embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more communication can take place until the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet is sent to fill up the queue again.
- SYN floods are still successful today for three reasons:
1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack.
2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small.
3) SYN packets can be spoofed because no response needs to be given back to the target. As a result, you can choose random IP addresses to launch the attack, making filtering difficult for security administrators.
An example: TCP SYN flooding
Client: "TCP connection, please." (sent over and over, from spoofed addresses)
Server: "O.K. Please send ack." (each reply holds a slot in the server's buffer of half-open connections, and the ack never comes)
- Now we may categorize DOS into 3 parts depending on the number of actors (characters) involved.
Direct Single-tier DoS Attacks
- Straightforward 'point-to-point' attack; that means we have 2 actors, hacker and victim.
- Examples
  - Ping of Death
  - SYN floods
  - Other malformed packet attacks
Direct Dual-tier DoS Attacks
- More complex attack model
- Difficult for victim to trace and identify attacker
- Examples
  - Smurf
Direct Triple-tier DDoS Attacks
- Highly complex attack model, known as Distributed Denial of Service (DDoS).
- DDoS exploits vulnerabilities in the very fabric of the Internet, making it virtually impossible to protect your networks against this level of attack.
- Examples
  - TFN2K
  - Stacheldraht
  - Mstream
The Components of a DDoS Flood Network
- Attacker
  - Often a hacker with good networking and routing knowledge.
- Master servers
  - Handful of backdoored machines running DDoS master software, controlling and keeping track of available zombie hosts.
- Zombie hosts
  - Thousands of backdoored hosts over the world
Distributed Denial of Service Attack (DDoS)
In and around early 2001 a new type of DoS attack became rampant, called a Distributed Denial of Service attack, or DDoS. In this case multiple compromised systems are used to attack a single target. The flood of incoming traffic to the target will usually force it to shut down. As in a DoS attack, in a DDoS attack the legitimate requests to the affected system are denied. Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack.
Results expected
- Denial-of-service attacks can essentially disable your computer or your network, depending on the nature of your enterprise.
- Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack." For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
Forms
- attempts to "flood" a network, thereby preventing legitimate network traffic
- attempts to disrupt connections between two machines, thereby preventing access to a service
- attempts to prevent a particular individual from accessing a service
- attempts to disrupt service to a specific system or person
Defense
Internet Service Providers
- Deploy source address anti-spoof filters (very important!).
- Turn off directed broadcasts.
- Develop security relationships with neighbor ISPs.
- Set up a mechanism for handling customer security complaints.
- Develop traffic volume monitoring techniques.
Highly loaded machines
- Look for too much traffic to a particular destination.
- Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).
- Can we automate the tools? Too many queue drops on an access router will trigger source detection (bl..
- Disable and filter out all unused UDP services.
Also
- Routers, machines, and all other Internet accessible equipment should be periodically checked to verify that all security patches have been installed.
- Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, back doors, etc.).
- Train your system and network administrators.
- Read security bulletins like: www.cert.org , www.sans.org , www.eEye.com
- From time to time, listen in on the attacker community to be informed about their latest achievements.
- Be in contact with your ISP. In case your network is being attacked, this can save a lot of time.
Can both do better some day?
- ICMP Traceback message.
- Warning: this technique is an untested idea in practice.
ICMP
- It's a message type usually used to indicate errors on the network: request not completed, router not reachable.
- With TCP and UDP it is a different story; there it is used mainly to check communication between nodes, sent as an echo request message (ping) to determine:
1) whether the host is reachable;
2) how long packets take to get to and from the host.

ICMP Traceback
It's the way we determine the real source of an attacker, especially in DoS attacks and their variants, by working back to the original point (backtracking).
There are 2 methods:
1) IP logging.
2) IP marking.
ICMP Traceback
- In IP logging, log information is stored in tables at each router; when we trace back we collect the tables router by router and finally reach the source.
- In IP marking, each router adds identifying information about itself to each packet it forwards, so the packet itself carries its real path back to the source.
ICMP Traceback
- For a very few packets (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
- Net traffic increase at the endpoint is about 0.1%, probably acceptable.
- Issues: authentication, loss of traceback packets, load on routers.
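A simulation of the ICMP Traceback scheme just described, added here and not part of the original slides: routers sample forwarded packets, the victim chains the "previous hop" messages backwards, and lost traceback messages (one of the issues listed) are modelled. The router names, attack host, sampling probability and loss rate are constructed assumptions; the sampling rate is set far above 1 in 20,000 so that a few thousand packets suffice for the demonstration.

```python
import random

def forward_packets(path, n_packets, p_traceback, rng, p_loss=0.0):
    """Forward n_packets along `path` (origin first, victim last). Each interior
    router, with probability p_traceback, emits an ICMP Traceback message naming
    itself and the hop it received the packet from; p_loss models traceback
    messages lost on the way to the victim (one of the slides' open issues).
    Returns (messages_received, messages_sent)."""
    received, sent = set(), 0
    for _ in range(n_packets):
        for i in range(1, len(path) - 1):        # interior hops are routers
            if rng.random() < p_traceback:
                sent += 1
                if rng.random() >= p_loss:
                    received.add((path[i], path[i - 1]))
    return received, sent

def reconstruct_path(messages, victim, upstream_router):
    """Victim side: chain the (router -> previous hop) facts backwards from the
    victim's own upstream router. The chain reaches the true first hop even if
    the packets' source address was spoofed, because hops are named by routers."""
    prev_hop = dict(messages)
    hops = [victim, upstream_router]
    while hops[-1] in prev_hop:
        hops.append(prev_hop[hops[-1]])
    return list(reversed(hops))

def demo(seed=7, n_packets=4000, p_traceback=1 / 200, p_loss=0.1):
    """Constructed 4-router path. Returns (reconstructed path, traceback
    messages sent, extra messages per forwarded packet)."""
    rng = random.Random(seed)
    path = ["attack-host", "R1", "R2", "R3", "R4", "victim"]
    received, sent = forward_packets(path, n_packets, p_traceback, rng, p_loss)
    return reconstruct_path(received, "victim", "R4"), sent, sent / n_packets
```

With the slides' rate of 1 in 20,000 per router and a path of roughly 20 routers, the same arithmetic gives the quoted 0.1% extra traffic at the endpoint.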
Overview: what happens these days

Throw away requests
Client: "Hello?" "Hello?" "Hello?" (the server's buffer is full and the requests are dropped)
Problem: Legitimate clients must keep retrying

IP Tracing (or Syncookies)
Client: "Hi. My name is 10.100.16.126. Request."
Problems:
•Can be evaded, particularly on, e.g., Ethernet
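The syncookie half of the slide above, as an added example that is not the slides' own code: the server encodes a keyed hash of the connection 4-tuple and a coarse time slot into the initial sequence number of its SYN-ACK, stores nothing, and commits a session only when an ACK returns the right value, so the half-open buffer of the earlier slides never fills. The key, addresses and the 5-bit time-slot layout are assumptions (a real kernel also encodes the MSS).

```python
import hashlib
import hmac

SERVER_KEY = b"constructed demo key, rotate in practice"  # assumption
SLOT_SECONDS = 64   # coarse clock granularity; the previous slot is still accepted

def time_slot(now):
    """5-bit coarse clock, stored in the top bits of the cookie."""
    return int(now // SLOT_SECONDS) & 0x1F

def make_cookie(src, sport, dst, dport, slot, key=SERVER_KEY):
    """32-bit ISN = 5 bits of time slot + 27 bits of keyed hash over the 4-tuple."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return (slot << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)

def check_cookie(src, sport, dst, dport, ack_num, now, key=SERVER_KEY):
    """Validate the handshake's final ACK without stored SYN state: the client
    acknowledges ISN + 1, so ack_num - 1 must equal the cookie for the current
    or the previous time slot."""
    isn = ((ack_num - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    cur = time_slot(now)
    for slot in (cur, (cur - 1) & 0x1F):
        expected = make_cookie(src, sport, dst, dport, slot, key).to_bytes(4, "big")
        if hmac.compare_digest(expected, isn):
            return True
    return False

class StatelessServer:
    """Its session table only ever holds handshakes a reachable client completed,
    so spoofed SYNs that never ACK occupy no buffer slot."""
    def __init__(self, addr="192.0.2.10", port=80):
        self.addr, self.port, self.sessions = addr, port, set()
    def on_syn(self, src, sport, now):          # reply SYN-ACK with seq = cookie
        return make_cookie(src, sport, self.addr, self.port, time_slot(now))
    def on_ack(self, src, sport, ack_num, now):
        ok = check_cookie(src, sport, self.addr, self.port, ack_num, now)
        if ok:
            self.sessions.add((src, sport))
        return ok

def demo():
    """Constructed flood of spoofed SYNs, then one legitimate client."""
    now, srv = 1_700_000_000.0, StatelessServer()
    for i in range(10_000):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, now)
    isn = srv.on_syn("198.51.100.7", 51234, now)
    legit = srv.on_ack("198.51.100.7", 51234, isn + 1, now + 10)
    forged = srv.on_ack("198.51.100.8", 51234, 12345, now + 10)
    return legit, forged, len(srv.sessions)
```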
Digital signatures
Problems:
•Requires carefully regulated PKI
•Does not allow for anonymity

Connection timeout
Problem: Hard to achieve balance between security and latency demands
A Solution: client puzzle, by Juels and Brainard, with improvement by Wang and Reiter

Intuition
Saboteur: "Table for four at 8 o'clock. Name of Mr. Smith."
Restauranteur: "Please solve this puzzle."
Saboteur: "O.K." (solves it)
Restauranteur: "O.K., Mr. Smith."
Intuition
Suppose:
- A puzzle takes an hour to solve
- There are 40 tables in the restaurant
- Reserve at most one day in advance
(so a single saboteur can book at most 24 of the 40 tables in a day)
The client puzzle protocol
Client -> Server: service request R
Server -> Client: puzzle
Client -> Server: puzzle solution
Server -> Client: O.K., and only then is a buffer slot committed to the request
What does a puzzle look like?
Puzzle basis: partial hash inversion
pre-image X (160 bits) --hash--> image Y
partial-image X': X with k bits unknown (shown as "?")
Pair (X', Y) is a k-bit-hard puzzle
Puzzle construction
Client -> Server: service request R
Server holds: secret S
Server computes:
secret S, time T, request R --hash--> puzzle pre-image X --hash--> image Y
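The construction on the slides above, worked through as an added example that is not the slides' own code: the server derives X = hash(S, T, R) and Y = hash(X), publishes X with its low k bits hidden together with Y, the client brute-forces the k bits, and the server verifies by recomputing X rather than storing any puzzle. SHA-1 for the 160-bit hash, the bit layout, the freshness window and the sample secret, time and request are constructed assumptions.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()      # 160-bit image, as on the slides

def make_puzzle(secret: bytes, t: int, request: bytes, k: int):
    """Server: X = hash(S, T, R); Y = hash(X); publish X with its low k bits
    zeroed plus Y. Returns (x_partial, y)."""
    x = h(secret + t.to_bytes(8, "big") + request)      # pre-image X
    y = h(x)                                             # image Y
    x_partial = (int.from_bytes(x, "big") >> k) << k     # hide the low k bits
    return x_partial.to_bytes(20, "big"), y

def solve_puzzle(x_partial: bytes, y: bytes, k: int) -> bytes:
    """Client: try the 2^k completions of the hidden bits (2^(k-1) hashes
    expected) until hash(candidate) == Y."""
    base = int.from_bytes(x_partial, "big")
    for guess in range(1 << k):
        candidate = (base | guess).to_bytes(20, "big")
        if h(candidate) == y:
            return candidate
    raise ValueError("puzzle and k are inconsistent")

def verify_solution(secret, t, request, solution, now, max_age=30) -> bool:
    """Server: recompute X from S, T, R (one hash, no stored puzzle) and
    compare. Puzzles older than max_age seconds are refused so solutions
    cannot be stockpiled; a deployment would also remember solutions seen
    inside the window to stop replay (assumption, not shown here)."""
    if not 0 <= now - t <= max_age:
        return False
    expected = h(secret + t.to_bytes(8, "big") + request)
    return hmac.compare_digest(expected, solution)

def demo(k: int = 16):
    """Constructed secret, time and request; k=16 is ~65k hashes worst case."""
    secret, t, request = b"constructed-server-secret", 1_700_000_000, b"GET /login"
    x_partial, y = make_puzzle(secret, t, request, k)
    solution = solve_puzzle(x_partial, y, k)
    fresh = verify_solution(secret, t, request, solution, now=t + 5)
    stale = verify_solution(secret, t, request, solution, now=t + 120)
    other = verify_solution(secret, t, b"GET /other", solution, now=t + 5)
    return fresh, stale, other
```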
Puzzles cannot always be used
- The attack may be performed on phones, SMS, MMS or physical e-mail
- It may not be possible to add puzzles
- Sometimes, the adversary will be more powerful than normal users (e.g., computer vs. cell phone).
